#!/bin/bash
#
# Copyright 2011, The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# A shell script to import key/certificate pairs into an existing Java keystore
#
# Usage: keytool-importkeypair [-k keystore] [-p storepass] \ 
#          -pk8 pk8 -cert cert -alias key_alias
#
#
# This script is used to import a key/certificate pair into a Java keystore.
# If a keystore is not specified then the key pair is imported into ~/.keystore
# in the user’s home directory. The passphrase can also be read from stdin.
#
# Example:
#
# Adding Android platform level certificates to the Android SDK
#
# keytool-importkeypair -k ~/.android/debug.keystore -p android \ 
#   -pk8 platform.pk8 -cert platform.x509.pem -alias platform
#

DEFAULT_KEYSTORE=$HOME/.keystore
keystore=$DEFAULT_KEYSTORE
pk8=""
cert=""
alias=""
passphrase=""
tmpdir=""

scriptname=`basename $0`

usage() {
cat << EOF
usage: ${scriptname} [-k keystore] [-p storepass]
-pk8 pk8 -cert cert -alias key_alias

This script is used to import a key/certificate pair
into a Java keystore.

If a keystore is not specified then the key pair is imported into
~/.keystore in the user’s home directory.

Options:

 -k FILE	Keystore file. If not specified, defaults to ~/.keystore
 -p PASSWORD	Keystore password. If not specified, you will be prompted
		for the password.
 -pk8 FILE	PKCS#8 key file (in DER format).
 -cert FILE	Certificate file (in PEM format).
 -alias STRING	Alias for the key/certificate pair.

EOF
}

cleanup() {
  if [ -n "${tmpdir}" -a -d "${tmpdir}" ]; then
    rm -rf "${tmpdir}"
  fi
}

trap cleanup EXIT

while [ $# -gt 0 ]; do
  case "$1" in
    -k)
      keystore="$2"; shift 2;;
    -p)
      passphrase="$2"; shift 2;;
    -pk8)
      pk8="$2"; shift 2;;
    -cert)
      cert="$2"; shift 2;;
    -alias)
      alias="$2"; shift 2;;
    --)
      shift; break;;
    -h)
      usage; exit 0;;
    -*)
      usage; exit 1;;
    *)
      break;;
  esac
done

if [ -z "${pk8}" -o -z "${cert}" -o -z "${alias}" ]; then
   usage
   exit 1
fi

tmpdir=`mktemp -d /tmp/keytool-importkeypair.XXXXXX`

key="${tmpdir}/key"
p12="${tmpdir}/p12"

if [ -z "${passphrase}" ]; then
   # Request a passphrase
  read -p "Enter a passphrase: " -s passphrase
  echo ""
fi

# Convert PK8 to PEM KEY
openssl pkcs8 -inform DER -nocrypt -in "${pk8}" -out "${key}"

# Bundle CERT and KEY
openssl pkcs12 -export -in "${cert}" -inkey "${key}" -out "${p12}" -password pass:"${passphrase}" -name "${alias}"

# Print cert
echo -n "Importing \"${alias}\" with "
openssl x509 -noout -fingerprint -in "${cert}"

# Import P12 in Keystore
keytool -importkeystore -deststorepass "${passphrase}" -destkeystore "${keystore}" -srckeystore "${p12}" -srcstoretype PKCS12 -srcstorepass "${passphrase}" 

# Cleanup
cleanup